Kenneth F. Belva

FUD Theater: Is it freezing in that road house?

My co-author, Sam Dekay, raised a question that was also on my mind. He wrote me in an email:

Why do those articulating the loss prevention position become so passionate that security is not an enabler?

Well, Sam, I think I know the reason. Here it is:

The only security model most extreme loss prevention advocates buy into is one of FUD.

I think that Richard Bejtlich’s post “Security Is Not Refrigeration” exemplifies this. Here is an excellent example from his post:

“The enemy of ‘security’ is the intruder. The intruder is a threat, meaning a party with the capabilities and intentions to exploit a vulnerability in an asset.”

The perspective of focusing on, voicing and exploiting fear, uncertainty and doubt for an agenda other than the truth is what one might call FUD Theater.*** In Richard’s case it is focusing and shouting only on loss prevention through intruders, vulnerabilities and exploits. I understand why he takes this perspective: his background is mainly hacking, incident response and forensics.

From a corporate perspective, that view of security is oversimplified. In a corporate setting, dealing with intruders is only part of the picture. Corporate information security managers must deal with a host of other issues such as corporate compliance, accidental (non-malicious) human harm, harm caused by natural disasters, business continuity, internal controls and human resource issues (as they relate to our information systems).

Richard is not a corporate manager; he’s a security service provider. That’s perhaps why he states that only businesses selling security generate value:

“Unless a business is actually selling security — like a MSSP — security does not generate value.”

It’s self-interested. This is not 100% incorrect; MSSPs generate value. The error is not expanding the scope of one’s view to accommodate additional truths. Microsoft did it! Microsoft sees security as an enabler (as well as loss prevention). They see that security provides value and enablement via the creation of digital assets and cash flows/revenue streams.

He questions the validity of it all when he replies:

“Returning to the idea of “enablement” — honestly, who cares?”

Here is what boggles my mind. If you are an MSSP and you can add security enablement as a service, why wouldn’t you do so? Wouldn’t you want to create another revenue stream in your MSSP by helping a business create a digital asset and a new revenue stream / cash flow in theirs? Wouldn’t you support security enablement?

Perhaps the real FUD is that security has the potential to expand its scope. “The old paradigm must be guarded!” We do mention that they are complementary models; there is no need for fear.

I went to lunch yesterday with a friend of mine who works for IBM. When I told him I co-authored a paper on virtual trust and that security can be viewed as an enabler, he had the same reaction most did. He said that when he thinks about security he thinks about protection: firewalls, anti-virus, IPS, etc. Then I explained how authentication is used to generate new revenue streams, with E-Z Pass as the example. He changed his argument and agreed. In fact, he thought of a few different examples himself. He had nothing to gain or lose, but was at least open to the possibility of enablement and ultimately agreed with me. I did not convince him; he convinced himself. He then offered to pass our paper along to someone else within IBM.

There is certainly a need to discuss threats and intruders. There is definitely a need to discuss risk and risk management. There is also a need to discuss security enablement.

Sam and I are after pragmatic truth, not dogma generated by FUD.

*** Yes, I coined the term FUD Theater tonight! Enjoy! (This is in contrast to security theater which aims at describing when “false” security methods are established instead of ones that would be truly effective.)
